Home

Description

A security flaw has been discovered in dayrui XunRuiCMS up to 4.7.1. Affected is an unknown function of the file /admind45f74adbd95.php?c=email&m=add of the component Email Setting Handler. Performing manipulation results in server-side request forgery. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

PUBLISHED Reserved 2025-12-04 | Published 2025-12-04 | Updated 2025-12-04 | Assigner VulDB




MEDIUM: 5.1CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
MEDIUM: 4.7CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
MEDIUM: 4.7CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
5.8AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR

Problem types

Server-Side Request Forgery

Product status

4.7.0
affected

4.7.1
affected

Timeline

2025-12-04:Advisory disclosed
2025-12-04:VulDB entry created
2025-12-04:VulDB entry last update

Credits

nobb (VulDB User) reporter

References

vuldb.com/?id.334246 (VDB-334246 | dayrui XunRuiCMS Email Setting admind45f74adbd95.php server-side request forgery) vdb-entry

vuldb.com/?ctiid.334246 (VDB-334246 | CTI Indicators (IOB, IOC, IOA)) signature permissions-required

vuldb.com/?submit.692907 (Submit #692907 | Sichuan Xunrui Cloud Software Development Co., Ltd xunruicms <=4.7.1 Server-Side Request Forgery) third-party-advisory

github.com/...s-email_test-SSRF/xunruicms-email_test-SSRF.md exploit

cve.org (CVE-2025-14004)

nvd.nist.gov (CVE-2025-14004)